Closed
Bug 921553
Opened 11 years ago
Closed 11 years ago
Fix some rooting hazards that crept into bindings code
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
People
(Reporter: bzbarsky, Assigned: bzbarsky)
Details
Attachments
(1 file)
3.07 KB,
patch
|
peterv
:
review+
|
Details | Diff | Splinter Review |
Two things. 1) UnionTypes.cpp ends up with code like this: nsresult rv = UnwrapObject<prototypes::id::HTMLVideoElement, mozilla::dom::HTMLVideoElement>( cx, &value.toObject(), SetAsHTMLVideoElement()); The second arg is a hazard if the third arg gcs. We should just store that third arg in a stack temporary before we do this code, so we end up with something more like this: OwningNonNull<mozilla::dom::HTMLVideoElement>& memberSlot = SetAsHTMLVideoElement(); { nsresult rv = UnwrapObject<prototypes::id::HTMLVideoElement, mozilla::dom::HTMLVideoElement>( cx, &value.toObject(), memberSlot); 2) ConvertJSValueToByteString has an unrooted JSString on the stack that I think is in fact safe, but it's easy enough to shut up the analysis here by rooting it... and safer in the long run.
Assignee | ||
Comment 1•11 years ago
|
||
Attachment #811245 -
Flags: review?(peterv)
Assignee | ||
Updated•11 years ago
|
Whiteboard: [need review]
Updated•11 years ago
|
Attachment #811245 -
Flags: review?(peterv) → review+
Assignee | ||
Comment 2•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2c7230203ec2
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla27
Comment 3•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/2c7230203ec2
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•